How to Setup a Google Service Account to Send Email via GMail
To use a Google Service Account to send emails from your Gmail account in a back-end process, you will need to follow a few steps to enable service account access and authenticate it correctly using OAuth 2.0. This process typically involves using domain-wide delegation if you’re accessing user data (such as sending email on behalf of a Gmail account).
Steps to Set Up Google Service Account for Sending Email
- Create a Google Service Account.
- Enable Gmail API for the project.
- Enable Domain-Wide Delegation (for G Suite/Google Workspace users).
- Grant the Service Account permission to access Gmail.
- Send email via Gmail API using the service account credentials and domain-wide delegation.
Detailed Steps:
1. Create a Google Service Account
- Go to the Google Cloud Console and create a new project (if you don’t already have one).
- Navigate to IAM & Admin > Service Accounts.
- Click on Create Service Account and give it a name (e.g., “Gmail Service Account”).
- Under Key type, select JSON and save the private key file. This file will be used to authenticate the service account.
2. Enable the Gmail API
- In the Google Cloud Console, go to APIs & Services > Library.
- Search for Gmail API and click Enable.
3. Enable Domain-Wide Delegation (for Google Workspace users)
Domain-wide delegation is required to allow the service account to access Gmail on behalf of a user in your domain.
- In the Service Accounts page in Google Cloud Console, click on the service account that was created.
- Click Edit for the service account, and check the box for Enable G Suite Domain-wide Delegation.
- Save changes.
4. Grant the Service Account Permission to Access Gmail
You now need to authorize the service account to access the Gmail API on behalf of your Gmail account or a user in your Google Workspace domain.
- If you are using Google Workspace, go to your Google Admin Console.
- In the Admin Console, navigate to Security > API Controls > Domain-wide Delegation.
- Click Add new under Domain-wide Delegation and enter the Client ID of the service account and specify the OAuth scopes it should have access to.Scopes for Gmail API:
https://www.googleapis.com/auth/gmail.send
5. Use the Service Account to Send Email via Gmail API
Once the service account has been granted the appropriate permissions, you can now authenticate and use the Gmail API to send emails.
Key Points to Remember:
- Domain-Wide Delegation: This is required if you’re using Google Workspace (formerly G Suite) and want to impersonate users in your domain.
- OAuth2 Scopes: The Gmail API requires specific OAuth2 scopes (“https://www.googleapis.com/auth/gmail.send”) to send emails. Make sure the service account has these permissions.
- Private Key Security: The JSON key file contains sensitive information. Keep it secure and avoid sharing or exposing it in public repositories.
Summary:
- Create a service account in Google Cloud and enable the Gmail API.
- Enable domain-wide delegation if you’re using Google Workspace and grant access via the Admin Console.
- Use the service account credentials to authenticate and delegate access to the Gmail account using the Gmail API.
- Write the backend process using OAuth2 and the Gmail API to send emails on behalf of your Gmail account.
This method allows your backend process to send emails securely from your Gmail account using a Google Service Account.